Thursday, May 31, 2012

My Rightscon Rio Live blog Day 1: Privacy and Data Protection Online: How Companies, Governments, and Users Can Promote Online Privacy

[Disclaimer: This is meant to be completely separate from Access' Live Blog.  This is all my notes and my perspective of what was said, with at least 20% more snark.]

Privacy and Data Protection Panel

[Gap in English translation]  The major issue to deal with here is building of new methods and regulations and technical solutions to protect and enforce protection provisions on the Web.

Start with Prof. Nelson and theoretical discussion of privacy, how it has changed recently, and later broader issue of online privacy.

The major issue is relevance.  I think that historically we had two reasons for data protection: (1) human rights, [brain fart], (2) circulation of data, econ integration, since the 70s we have seen laws originally from Germany....7 countries with privacy laws that follow European model, and strategies to foster data protection.

Education is of course important, how to use laptops, etc.

Companies need to know that this is an important asset (the translation overlaid on the Portuguese is distracting here)

[btw, many Skype server nodes are run by MSFT, learned over lunch]

Morozov, why couldn't you make it here?

Sarah Altschuler: First, I work through a corp. social responsibility law practice.  When we talk to companies about policy, we put it in a human rights practice.  For many companies, this stuff is about compliance, not human rights.  Ex. trying to push UN human rights criteria for online privacy.
We work on how comps protect privacy as a human rights concern.  If the company has developed certain principles around protection of user data, then they are understood all up and down the chain of command, board to code monkeys.

We also talk about biz practices on what data you need to collect and how long, and where is it stored.  We frequently talk about location of data stores and do due diligence on countries where that data stored (Goog and Kazakhstan much?), and when it's ok to say we can't put a data center in country X.

Comm. for users, edu. component is key.  How are users engaged with platform, understand terms of service/their obligations/options.

How we make sure that requests for data are compliant with local law, and how/where they can push back.
Here there can be a large role for public sector, so U.S. can say back up dialogue with repressive regimes.  Still not dealing with repression from "the East" (Russia/Ukraine)

Q: We've been seeing some companies getting and abusing data, can you comment on some strategies that have tried to tackle that?

This is one of those where it's incredibly important for dialogue across the company about policy on user data protection, because they're trying to monetize it (predictive analytics).  But can be a problem of "What's our 3/5 year plan?" and other parts "how can we minimize disclosure and sharing?"  Can't be in separate compartments.  Some of this is what users are willing to tolerate, some of it is regulation (there was an allusion to "do not track" we'll get to later)

Bruno Magrani: Mario, We've been seeing a number of strategies adopted by companies about downloads and self-regulation.  There's some criticisms (not enough!), but what I'd like you to comment on is what are the self-regulation strategies out there now.  Are they efficient or not? 

Mario: I represent the insurance industry, which is very used to dealing with information, which is very vital to it and how it does business.  There's a number of databases involved, re: vehicles, customs, delicate information.  So the insurance sector has been dealing with data forever, and of course the volume of data has exploded of late.  So this sector--we have to view the consumer all the time, and s/he isn't passive anymore, they want information, they want to participate.  When you deal with insurance [not liking this translator, or maybe it's just me], so we decided to try to take a step ahead and get ahead of the legislation.  We're all in favor of it...now the insurance sector can't just wait for legislation, we have to deal with a situation that already exists, so we have some kind of regulatory framework (something like PCI-DSS? yes, exactly like PCI-DSS), and if you don't comply, you can be subjected to various sanctions (loss of business, bad press, etc.)
In Brazil, the insurance biz. wants to be a pioneer in self-regulation practices, even ahead of the government. 

Back to Magrani: In the distinction between regulation and self-regulation, can you say some more on this topic in terms of FTC trying light "we don't want to break it" approach, or whether this has been effective in protecting users' privacy online and [something about business models]

Altschuler:  It's hard to tell if this User's Bill of Rights thing has been effective.  I'm a Washington lawyer, I don't expect Capitol Hill to make sense, and we're dealing with an institution that doesn't understand these issues all that well.  Also a problem, since the biz. community would rather self-regulate than deal with "series of tubes" people.  We work a lot with GNI, where you commit to principles, but it isn't one size fits all.  Do you have practices/processes out for ind. review and assessment, and are you engaging with civil society groups on this?  I see that as part of the effort to get companies on board with self-regulation.  We have another practice in our firm on sec. and data privacy specifically.  We're working very much on compliance and data breach policy, and there you have a lot of significant fines for data breaches.  I'm not one to think that tech. isn't the full answer, but we really don't have a lot of legislators who understand this, and so I very much prefer self-regulation.

Magrani: More technical approach to data protection?

JAKE APPELBAUM!!!:  First I think everyone has right to speak freely and to read.  So we have to talk about privilege a little bit, so to talk about privacy, we have to talk about how companies are incentivized to do what we want.  In some cases, insurance industry is surveillance industry, they surveil an area to determine rates.  Facebook can be recontextualized as Stasibook, given opportunities for snitching and spying.  In the case of Skype, my understanding is that when MSFT acquired Skype, they agreed to add lawful intercept (read: spy) capabilities.  But when your tech. is reduced to whether or not you have due process, you have failed (WIN!).  So there have been several cases where Skype has been weakened (ex. CALEA), so for Skype to comply with these laws, they leave everyone in a vulnerable state, and instead of making these kinds of compromises, companies like Skype should be pushing for end-to-end secure communication.  We should have something like Diaspora, and maybe that will work, but the $$$ really comes from surveillance, and it's very hard that way to get Facebook to throw away its pool of money.  We need to recontextualize this like safe sex, we have a responsibility to ourselves and others for secure communications, and when we don't use it, there is a transitive danger to others.

Look these up, he recommends them, therefore they're cool
ZRTP
OSTel - can install on your phone tomorrow
TechSecure from Moxie Marlinspike (a little Googling and looking at Marlinspike's site (which is worth a visit regardless) didn't show anything.  Post a comment if you know what he was referring to)
RedPhone
CryptoPhone
Gipsi (sp? Again, not sure what he was referring to)

J.A: Companies can still make money on this, and with tech. like this
First, we have to admit there's a problem, first the police and later the state.
For the FBI to intercept my phone calls, her phone has to be insecure, and then someone can track her and all her calls
For that to happen, we all have to have the same problem.  We can stop this, at the cost of not listening to my phone calls
This can't happen without large econ. incentives to change the way we look at this stuff.  OSTel has built a full telecom system with full secure encryption.  We all need to make a decision that all being secure, including the bad guys beats all insecure with some bad guys caught.

Magrani: How can we convince governments/ incentivize them to demand more security protections?

Other guy: We are in a society with different players.  How many of you have decided to accept ??????  another thing, that issue of self-regulation...[sorry, the double speech (Portuguese and English translation) is a huge problem here.]  Claims there are no borders on Internet and now very self-

[Network made my computer barf for a sec, not much lost in interim]

Not sure if I'm not paying close enough attention, or he's not actually saying anything.  Happens all the time with lawyers.
From what I am getting, he's talking completely past what Appelbaum said
yup, if you want all of this, see the legit liveblog.  So, who's here?  Yeah, I got nuthin'.

How long has this guy been talking?  30 minutes?  Made mention of national sec. exceptions

After notes on paper from Appelbaum: 1st, we should question idea that state has power to suspend rights.  Ex. in Greece '06 & Vodafone PM & several pols were tapped, guy behind it found suicided.  Creates real risk of abuse that previously belonged to the military.  Internet challenges the national security state.  If Google can be compromised by the Chinese, no one can do better.  To me it's very scary to hear people talk about state as if it's perfect.  How many cops who have committed police brutality on Internet?  Lots more than child pornographers.  If we want to give privacy, we have to give to the bad guys as well.

Response: ...yeah..

Questions: From developer, question for Appelbaum, I understand need to keep Tor intact, but where does the line need to be drawn for privacy?  Should we go further and say cops can't follow people in the street?  CCTV?  Cameras?
Appelbaum: I'll see your trolling and raise you.  It's important to point out we're talking about expansion of police powers.  History with FBI has not been exclusively that they will be used as sold.  Does cop have right to follow you?  Maybe.  Should you have right to impersonate a cop and follow? Maybe on Halloween.
From analog sense, it's like every road should have cameras and mics, and only some people have access to that equip.  This is not a world I want to live in.  I don't want a world where cops can do covert surveillance.  We should not allow the Internet to go in ways that society should not have gone but has gone anyways.  Not building backdoors is a matter of accountability.  Prob. here is sec. agencies get a free pass.  We don't know from facts that they're being honest.  With technology, we can equalize much of this (this is a big leap from the way I've thought, but I kinda like it).

What is a best practice for an insurance company that does surveillance?  It's not clear that beyond regulations, corporations have any incentive to make a decision to keep data private

A. Altschuler: I do see a role for regulation.  Large fines for data breaches have incentivized beefing up on data security.  I think in some of the more iterative conversations.  I think there's a lot of a role for multi-stakeholder approach (take a shot, we've expanded the drinking game now beyond mentions of the Arab Spring)

Question: From judge from state of Rio de Janeiro, concern in terms of privacy.  Is there any means to virtualize a page with false data in false social network, e.g. web page with false data?

[Here the double-speak plus probably my own exhaustion took over.]
END
